[Openswan Users] Linux and Cisco VPN don't connect

Michael H. Warfield mhw at WittsEnd.com
Tue Aug 30 20:06:55 EDT 2011


On Tue, 2011-08-30 at 17:22 -0500, Listas Ayuda wrote: 
> Regards
> I'm configuring one VPN between Untangle v 9.0.2 (Debian Linux) and
> Cisco VPN 5540 Series but it doesn't work. My openswan version is: 2.6.28

The start of your answer is in those logs.

> Config is next:

> UNTANGLE:

> Description: Untangle VPN
> Connection Type: Tunnel
> Auto Mode:  Start
> Interface:External
> External IP: 190.154.14.230 (this ip is only for this example..)
> Remote IP: 186.10.29.40 (this ip is only for this example..)
> Local Network: 192.168.210.0/30
> Local IP:192.168.210.1
> Remote Network: 172.27.2.0/2
> Perfect Forward Secrecy (PFS) : checked

Ah...  "Checked?"  How are you configuring this???

> Shared Secret: constitucionalmentefregado

I see a description of a config.  I don't see an actual config.  Cut and
paste the conn definitions, obfuscating the addresses if you must.

> CISCO:

> crypto ipsec transform-set RC-MF-2 esp-3des esp-sha-hmac 
> crypto ipsec security-association lifetime seconds 3600
> crypto ipsec security-association lifetime kilobytes 4608000
> crypto map RC-MF-2 70 match address acl-VPN-RC-MF-2
> crypto map RC-MF-2 70 set pfs 
> crypto map RC-MF-2 70 set peer 190.154.14.230 
> crypto map RC-MF-2 70 set transform-set RC-MF-2
> crypto map RC-MF-2 interface LC-ASA
> crypto isakmp identity hostname 
> crypto isakmp enable LC-ASA
> crypto isakmp policy 70
>  authentication pre-share
>  encryption 3des
>  hash sha
>  group 2
>  lifetime 86400
> crypto isakmp nat-traversal 3600
> tunnel-group 190.154.14.230 type ipsec-l2l
> tunnel-group 190.154.14.230 ipsec-attributes
>  pre-shared-key *
>  peer-id-validate nocheck

> Log return in untangle is:

> Aug 30 16:44:12 untangle pluto[29536]: ike_alg_register_enc(): Activating aes_ccm_8: Ok (ret=0)
> Aug 30 16:44:12 untangle pluto[29536]: ike_alg_add(): ERROR: Algorithm already exists
> Aug 30 16:44:12 untangle pluto[29536]: ike_alg_register_enc(): Activating aes_ccm_12: FAILED (ret=-17)
> Aug 30 16:44:12 untangle pluto[29536]: ike_alg_add(): ERROR: Algorithm already exists
> Aug 30 16:44:12 untangle pluto[29536]: ike_alg_register_enc(): Activating aes_ccm_16: FAILED (ret=-17)
> Aug 30 16:44:12 untangle pluto[29536]: ike_alg_add(): ERROR: Algorithm already exists
> Aug 30 16:44:12 untangle pluto[29536]: ike_alg_register_enc(): Activating aes_gcm_8: FAILED (ret=-17)
> Aug 30 16:44:12 untangle pluto[29536]: ike_alg_add(): ERROR: Algorithm already exists
> Aug 30 16:44:12 untangle pluto[29536]: ike_alg_register_enc(): Activating aes_gcm_12: FAILED (ret=-17)
> Aug 30 16:44:12 untangle pluto[29536]: ike_alg_add(): ERROR: Algorithm already exists
> Aug 30 16:44:12 untangle pluto[29536]: ike_alg_register_enc(): Activating aes_gcm_16: FAILED (ret=-17)
> Aug 30 16:44:12 untangle pluto[29536]: myid malformed: empty string ""
> Aug 30 16:44:12 untangle pluto[29536]: Changed path to directory '/etc/ipsec.d/cacerts'
> Aug 30 16:44:12 untangle pluto[29536]: Changed path to directory '/etc/ipsec.d/aacerts'
> Aug 30 16:44:12 untangle pluto[29536]: Changed path to directory '/etc/ipsec.d/ocspcerts'
> Aug 30 16:44:12 untangle pluto[29536]: Changing to directory '/etc/ipsec.d/crls'
> Aug 30 16:44:12 untangle pluto[29536]:   Warning: empty directory
> Aug 30 16:44:12 untangle pluto[29536]: added connection description "UT6_Untangle_VPN"
> Aug 30 16:44:12 untangle pluto[29536]: listening for IKE messages
> Aug 30 16:44:12 untangle pluto[29536]: adding interface utun/utun 192.0.2.43:500
> Aug 30 16:44:12 untangle pluto[29536]: adding interface dummy0/dummy0 192.0.2.42:500
> Aug 30 16:44:12 untangle pluto[29536]: adding interface eth2/eth2 192.168.210.1:500
> Aug 30 16:44:12 untangle pluto[29536]: adding interface eth1/eth1 190.154.250.211:500
> Aug 30 16:44:12 untangle pluto[29536]: adding interface eth0/eth0 190.154.14.230:500
> Aug 30 16:44:12 untangle pluto[29536]: adding interface lo/lo 127.0.0.1:500
> Aug 30 16:44:12 untangle pluto[29536]: loading secrets from "/etc/ipsec.secrets"
> Aug 30 16:44:12 untangle pluto[29536]: "UT6_Untangle_VPN" #1: initiating Main Mode
> Aug 30 16:44:12 untangle pluto[29536]: "UT6_Untangle_VPN" #1: ignoring Vendor ID payload [FRAGMENTATION c0000000]
> Aug 30 16:44:12 untangle pluto[29536]: "UT6_Untangle_VPN" #1: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
> Aug 30 16:44:12 untangle pluto[29536]: "UT6_Untangle_VPN" #1: STATE_MAIN_I2: sent MI2, expecting MR2
> Aug 30 16:44:12 untangle pluto[29536]: "UT6_Untangle_VPN" #1: received Vendor ID payload [Cisco-Unity]
> Aug 30 16:44:12 untangle pluto[29536]: "UT6_Untangle_VPN" #1: received Vendor ID payload [XAUTH]

Ok...  Let's start here (it's not your problem but it may be your next
problem once you solve your first problem).  Do you have XAUTH
configured?  I don't see anything from your "config" above to tell me.

> Aug 30 16:44:12 untangle pluto[29536]: "UT6_Untangle_VPN" #1: ignoring unknown Vendor ID payload [3d01f6d3afa543a80902fef28c3240f7]
> Aug 30 16:44:12 untangle pluto[29536]: "UT6_Untangle_VPN" #1: ignoring Vendor ID payload [Cisco VPN 3000 Series]
> Aug 30 16:44:12 untangle pluto[29536]: "UT6_Untangle_VPN" #1: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
> Aug 30 16:44:12 untangle pluto[29536]: "UT6_Untangle_VPN" #1: STATE_MAIN_I3: sent MI3, expecting MR3
> Aug 30 16:44:12 untangle pluto[29536]: "UT6_Untangle_VPN" #1: received Vendor ID payload [Dead Peer Detection]
> Aug 30 16:44:12 untangle pluto[29536]: "UT6_Untangle_VPN" #1: Main mode peer ID is ID_FQDN: '@eFW-5540-EXT.domain.com'
> Aug 30 16:44:12 untangle pluto[29536]: "UT6_Untangle_VPN" #1: we require peer to have ID '186.10.29.40', but peer declares '@eFW-5540-EXT.domain.com'

Bingo!  There's your first problem.  You've got an identifier mismatch.
Nothing below this matters at this point.  Stop, do not pass go, do not
collect 200 euro.  You have to fix this first.

In your config, you've probably got something like
"rightid=${NAME_OF_MACHINE}" or an IP address or whatever.  You need to
get that remote ID right before you move to the next square.  For XAUTH
to work, you probably need to set your local (left by convention) to the
XAUTH group name.  For the remote ID, it looks like you need to configure
it in a way I haven't needed to.  Here's a snippet from one of my working
configs...

conn xxxxx
        # US
        leftid=@Linux
        leftxauthclient=yes
        leftxauthusername=mhw@{FQDN}
        leftmodecfgclient=yes
        # Cisco ASA
        right=xxx.xxx.xxx.xx
        rightsubnet=xxx.xxx.xxx.xxx/16
        rightxauthserver=yes
        rightmodecfgserver=yes
        # General settings
             :
             :

I can't tell how you're trying to configure it or how that concentrator
is configured.  I will say too that, if it requires a Windows domain
name or other parameters supported under the XAUTH protocol, you may be
in trouble because we (I) haven't completed the support yet.

> Aug 30 16:44:12 untangle pluto[29536]: "UT6_Untangle_VPN" #1: sending encrypted notification INVALID_ID_INFORMATION to 186.10.29.40:500
> Aug 30 16:44:23 untangle pluto[29536]: "UT6_Untangle_VPN" #1: next payload type of ISAKMP Hash Payload has an unknown value: 243
> Aug 30 16:44:23 untangle pluto[29536]: "UT6_Untangle_VPN" #1: malformed payload in packet
> Aug 30 16:44:23 untangle pluto[29536]: | payload malformed after IV
> Aug 30 16:44:23 untangle pluto[29536]: |   23 51 a0 6b  4b 20 b6 f4
> Aug 30 16:44:23 untangle pluto[29536]: "UT6_Untangle_VPN" #1: sending notification PAYLOAD_MALFORMED to 186.10.29.40:500
> Aug 30 16:44:25 untangle pluto[29536]: "UT6_Untangle_VPN" #1: next payload type of ISAKMP Hash Payload has an unknown value: 126
> Aug 30 16:44:25 untangle pluto[29536]: "UT6_Untangle_VPN" #1: malformed payload in packet
> Aug 30 16:44:25 untangle pluto[29536]: | payload malformed after IV
> Aug 30 16:44:25 untangle pluto[29536]: |   23 51 a0 6b  4b 20 b6 f4
> Aug 30 16:44:25 untangle pluto[29536]: "UT6_Untangle_VPN" #1: sending notification PAYLOAD_MALFORMED to 186.10.29.40:500
> Aug 30 16:44:27 untangle pluto[29536]: "UT6_Untangle_VPN" #1: byte 2 of ISAKMP Hash Payload must be zero, but is not
> Aug 30 16:44:27 untangle pluto[29536]: "UT6_Untangle_VPN" #1: malformed payload in packet
> Aug 30 16:44:27 untangle pluto[29536]: | payload malformed after IV
> Aug 30 16:44:27 untangle pluto[29536]: |   23 51 a0 6b  4b 20 b6 f4
> 
> 
> What is the problem. Thank you for your help.
> 
> Attm
> Roberto

-- 
Michael H. Warfield (AI4NB) | (770) 985-6132 |  mhw at WittsEnd.com
   /\/\|=mhw=|\/\/          | (678) 463-0932 |  http://www.wittsend.com/mhw/
   NIC whois: MHW9          | An optimist believes we live in the best of all
 PGP Key: 0x674627FF        | possible worlds.  A pessimist is sure of it!
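As an added illustration (not part of the original mail), the two findings Michael pulls out of the pluto log can be scripted: the ID mismatch line gives you the value to put in rightid= (the ASA sends its hostname because of "crypto isakmp identity hostname"), and the XAUTH vendor ID tells you to check whether the tunnel-group requires it. The sample log below is constructed from the lines quoted above; the triage() and suggest() functions are hypothetical helpers, not Openswan code.

```python
import re

# Constructed sample built from the pluto lines quoted in the thread (same
# connection name, addresses and hostname as in the original post).
SAMPLE_LOG = """\
Aug 30 16:44:12 untangle pluto[29536]: "UT6_Untangle_VPN" #1: received Vendor ID payload [XAUTH]
Aug 30 16:44:12 untangle pluto[29536]: "UT6_Untangle_VPN" #1: Main mode peer ID is ID_FQDN: '@eFW-5540-EXT.domain.com'
Aug 30 16:44:12 untangle pluto[29536]: "UT6_Untangle_VPN" #1: we require peer to have ID '186.10.29.40', but peer declares '@eFW-5540-EXT.domain.com'
Aug 30 16:44:12 untangle pluto[29536]: "UT6_Untangle_VPN" #1: sending encrypted notification INVALID_ID_INFORMATION to 186.10.29.40:500
"""

# Per-connection pluto lines carry the conn name in double quotes and a state number.
CONN = re.compile(r'pluto\[\d+\]: "(?P<conn>[^"]+)" #\d+: (?P<msg>.*)$')
ID_MISMATCH = re.compile(r"we require peer to have ID '(?P<expected>[^']+)', "
                         r"but peer declares '(?P<declared>[^']+)'")
VENDOR_ID = re.compile(r"received Vendor ID payload \[(?P<vid>[^\]]+)\]")


def triage(log_text):
    """Return {conn: {"vendor_ids": [...], "id_mismatch": (expected, declared) or None}}."""
    findings = {}
    for line in log_text.splitlines():
        m = CONN.search(line)
        if not m:
            continue  # daemon start-up noise is not tied to a connection
        f = findings.setdefault(m["conn"], {"vendor_ids": [], "id_mismatch": None})
        v = VENDOR_ID.search(m["msg"])
        if v:
            f["vendor_ids"].append(v["vid"])
        mm = ID_MISMATCH.search(m["msg"])
        if mm:
            f["id_mismatch"] = (mm["expected"], mm["declared"])
    return findings


def suggest(findings):
    """Map findings to the ipsec.conf change and the follow-up check raised in the thread."""
    advice = {}
    for conn, f in findings.items():
        notes = []
        if f["id_mismatch"]:
            expected, declared = f["id_mismatch"]
            # pluto prints (and accepts) an FQDN identity with a leading '@',
            # so the declared value can be used verbatim as rightid=.
            notes.append(f"rightid={declared}  # peer does not identify as {expected}")
        if "XAUTH" in f["vendor_ids"]:
            notes.append("peer advertises XAUTH: confirm whether the tunnel-group requires it")
        advice[conn] = notes
    return advice
```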